feat(checks): add ResourceGroup field to all check metadata for resource classification (#9656)

This commit is contained in:
Adrián Peña
2025-12-24 09:13:14 +01:00
committed by GitHub
parent e58e939f55
commit 9bfa1e740c
1140 changed files with 1190 additions and 10 deletions
+26
@@ -237,6 +237,7 @@ Below is a generic example of a check metadata file. **Do not include comments i
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceGroup": "security",
"Description": "This check verifies that the service resource has the required **security setting** enabled to protect against potential vulnerabilities.\n\nIt ensures that the resource follows security best practices and maintains proper access controls. The check evaluates whether the security configuration is properly implemented and active.",
"Risk": "Without proper security settings, the resource may be vulnerable to:\n\n- **Unauthorized access** - Malicious actors could gain entry\n- **Data breaches** - Sensitive information could be compromised\n- **Security threats** - Various attack vectors could be exploited\n\nThis could result in compliance violations and potential financial or reputational damage.",
"RelatedUrl": "",
@@ -315,6 +316,31 @@ The type of resource being audited. This field helps categorize and organize fin
- **Oracle Cloud Infrastructure**: Use types from [Oracle Cloud Infrastructure documentation](https://docs.public.oneportal.content.oci.oraclecloud.com/en-us/iaas/Content/Search/Tasks/queryingresources_topic-Listing_Supported_Resource_Types.htm).
- **M365 / GitHub / MongoDB Atlas**: Leave empty due to lack of standardized types.
#### ResourceGroup
A high-level classification that groups checks by the type of cloud resource they audit. This field enables filtering and organizing findings by resource category across all providers. The value must be one of the following predefined groups:
| Group | Description |
|-------|-------------|
| `compute` | Virtual machines, instances, auto-scaling groups, workspaces, streaming |
| `container` | Container orchestration, Kubernetes, registries, pods |
| `serverless` | Functions, step functions, event-driven compute |
| `database` | Relational, NoSQL, caches, search engines, data warehouses, graph databases |
| `storage` | Object storage, block storage, file systems, backups, archives |
| `network` | VPCs, subnets, load balancers, DNS, VPN, firewalls, CDN |
| `IAM` | IAM users, roles, policies, access keys, service accounts, directories |
| `messaging` | Queues, topics, event buses, streaming, email services |
| `security` | WAF, secrets, KMS, certificates, security tools, defenders, DDoS protection |
| `monitoring` | Logs, metrics, alerts, audit trails, observability, config tracking |
| `api_gateway` | API management, REST APIs, GraphQL endpoints |
| `ai_ml` | Machine learning, AI services, notebooks, training, LLM |
| `governance` | Accounts, organizations, projects, policies, settings, compliance tools |
| `collaboration` | Productivity SaaS apps (Exchange, Teams, SharePoint) |
| `devops` | CI/CD, infrastructure as code, automation, code repositories, version control |
| `analytics` | Data warehouses, query engines, ETL pipelines, BI tools, data lakes |
The group is determined by the resource type being audited, not the service. For example, an EC2 security group check would use `network` (not `compute`), while an EC2 instance check would use `compute`.
#### Description
A concise, natural language explanation that **clearly describes what the finding means**, focusing on clarity and context rather than technical implementation details. Use simple paragraphs with line breaks if needed, but avoid sections, code blocks, or complex formatting. This field is limited to maximum 400 characters.
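Review bot: `IAM` is the only group name in the table that is not lowercase snake_case (`api_gateway`, `ai_ml`), and because this value is matched as a plain string in check metadata, mixed case invites `iam`/`IAM` mismatches; either lowercase it or state explicitly next to the table that values are case-sensitive. The descriptions also overlap: "streaming" appears under both `compute` and `messaging`, "Data warehouses" under both `database` and `analytics`, and "policies" under both `IAM` and `governance`. The sentence after the table resolves only the EC2 security-group case; a general tie-break rule (audited resource type first, then the most specific group) would let contributors classify consistently across providers.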
+1
@@ -10,6 +10,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Support AWS European Sovereign Cloud [(#9649)](https://github.com/prowler-cloud/prowler/pull/9649)
- `compute_instance_disk_auto_delete_disabled` check for GCP provider [(#9604)](https://github.com/prowler-cloud/prowler/pull/9604)
- Bedrock service pagination [(#9606)](https://github.com/prowler-cloud/prowler/pull/9606)
- `ResourceGroup` field to all check metadata for resource classification [(#9656)](https://github.com/prowler-cloud/prowler/pull/9656)
### Changed
- Update AWS Step Functions service metadata to new format [(#9432)](https://github.com/prowler-cloud/prowler/pull/9432)
+1
@@ -112,6 +112,7 @@ class CheckMetadata(BaseModel):
ResourceIdTemplate: str
Severity: Severity
ResourceType: str
ResourceGroup: str = Field(default="")
Description: str
Risk: str
RelatedUrl: str
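Review bot: the documentation added in this PR says `ResourceGroup` must be one of the predefined groups, but `ResourceGroup: str = Field(default="")` accepts any string and silently falls back to empty. Consider constraining it (a `Literal[...]` of the documented names, or a validator checked against that list) so a typo or case mismatch such as `iam` versus `IAM` fails at metadata load time instead of surfacing as a finding that no group filter matches. Also reconsider the empty default now that every shipped check is expected to carry the field: making it required causes a new check that omits it to fail validation rather than being classified as nothing.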
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:actiontrail::account-id:trail",
"Severity": "critical",
"ResourceType": "AlibabaCloudActionTrail",
"ResourceGroup": "monitoring",
"Description": "**ActionTrail** is a web service that records API calls for your account and delivers log files to you.\n\nThe recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the Alibaba Cloud service. ActionTrail provides a history of API calls for an account, including API calls made via the Management Console, SDKs, and command line tools.",
"Risk": "The API call history produced by ActionTrail enables **security analysis**, **resource change tracking**, and **compliance auditing**.\n\nEnsuring that a **multi-region trail** exists will detect unexpected activities occurring in otherwise unused regions. Global Service Logging should be enabled by default to capture events generated on Alibaba Cloud global services, ensuring the recording of management operations performed on all resources in an Alibaba Cloud account.",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "acs:oss::account-id:bucket-name",
"Severity": "critical",
"ResourceType": "AlibabaCloudOSSBucket",
"ResourceGroup": "storage",
"Description": "**ActionTrail** logs a record of every API call made in your Alibaba Cloud account. These log files are stored in an **OSS bucket**.\n\nIt is recommended that the **Access Control List (ACL)** of the OSS bucket, which ActionTrail logs to, prevents public access to the ActionTrail logs.",
"Risk": "Allowing **public access** to ActionTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.\n\nExposed audit logs can reveal sensitive information about your infrastructure, API usage patterns, and security configurations.",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudKubernetesCluster",
"ResourceGroup": "container",
"Description": "The monitoring service in **Kubernetes Engine clusters** depends on the Alibaba Cloud **CloudMonitor** agent to access additional system resources and application services in virtual machine instances.\n\nThe monitor can access metrics about CPU utilization, disk traffic metrics, network traffic, and disk IO information, which help monitor signals and build operations in your Kubernetes Engine clusters.",
"Risk": "Without **CloudMonitor** enabled, you lack visibility into system metrics and custom metrics. System metrics measure the cluster's infrastructure, such as CPU or memory usage.\n\nWith CloudMonitor, a monitor controller is created that periodically connects to each node and collects metrics about its Pods and containers, then sends the metrics to CloudMonitor server.",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudKubernetesCluster",
"ResourceGroup": "container",
"Description": "**Kubernetes Engine's cluster check** feature helps you verify the system nodes and components healthy status.\n\nWhen you trigger the checking, the process validates the health state of each node in your cluster and also the cluster configuration (`kubelet`, `docker daemon`, `kernel`, and network `iptables` configuration). If there are consecutive health check failures, the diagnose reports to admin for further repair.",
"Risk": "Kubernetes Engine uses the node's health status to determine if a node needs to be repaired. A cluster health check includes: cloud resource healthy status including **VPC/VSwitch**, **SLB**, and every **ECS node** status in the cluster; the `kubelet`, `docker daemon`, `kernel`, `iptables` configurations on every node.\n\nWithout regular cluster checks, potential issues may go undetected and could lead to **cluster instability** or **security vulnerabilities**.",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudKubernetesCluster",
"ResourceGroup": "container",
"Description": "**Kubernetes Engine's cluster check** feature helps you verify the system nodes and components healthy status.\n\nWhen you trigger the checking, the process validates the health state of each node in your cluster and also the cluster configuration (`kubelet`, `docker daemon`, `kernel`, and network `iptables` configuration). If there are consecutive health check failures, the diagnose reports to admin for further repair.",
"Risk": "Kubernetes Engine uses the node's health status to determine if a node needs to be repaired. A cluster health check includes: cloud resource healthy status including **VPC/VSwitch**, **SLB**, and every **ECS node** status in the cluster; the `kubelet`, `docker daemon`, `kernel`, `iptables` configurations on every node.\n\nWithout regular cluster checks, potential issues may go undetected and could lead to **cluster instability** or **security vulnerabilities**.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
"Severity": "high",
"ResourceType": "AlibabaCloudKubernetesCluster",
"ResourceGroup": "container",
"Description": "**Dashboard** is a web-based Kubernetes user interface that can be used to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster itself.\n\nYou should disable the **Kubernetes Web UI (Dashboard)** when running on Kubernetes Engine. The Dashboard is backed by a highly privileged Kubernetes Service Account. It is recommended to use the **ACK User Console** instead to avoid privilege escalation via a compromised dashboard.",
"Risk": "The **Kubernetes Dashboard** is backed by a highly privileged Service Account. If the Dashboard is compromised, it could allow an attacker to gain **full control** over the cluster and potentially **escalate privileges**.\n\nAttackers who gain access to the Dashboard can deploy malicious workloads, exfiltrate secrets, and compromise the entire cluster.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudKubernetesCluster",
"ResourceGroup": "container",
"Description": "Alibaba Cloud **ENI (Elastic Network Interface)** supports assigning ranges of internal IP addresses as aliases to a single virtual machine's ENI network interfaces.\n\nWith **ENI multiple IP mode**, Kubernetes Engine clusters can allocate IP addresses from a CIDR block known to **Terway** network plugin. This makes your cluster more scalable and allows better interaction with other Alibaba Cloud products.",
"Risk": "Without **ENI multiple IP mode** (provided by Terway), pods share the node's network interface in a less scalable way.\n\nUsing ENI multiple IPs allows pod IPs to be reserved within the network ahead of time, preventing conflict with other compute resources, and allows firewall controls for Pods to be applied separately from their nodes.",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
"Severity": "high",
"ResourceType": "AlibabaCloudKubernetesCluster",
"ResourceGroup": "container",
"Description": "**Log Service** is a complete real-time data logging service on Alibaba Cloud supporting collection, shipping, search, storage, and analysis for logs.\n\nLog Service can automatically collect, process, and store your container and audit logs in a dedicated, persistent datastore. Container logs are collected from your containers, audit logs from the `kube-apiserver` or deployed ingress, and events about cluster activity such as the deletion of Pods or Secrets.",
"Risk": "Without **Log Service** enabled, you lose visibility into container and system logs. The per-node logging agent collects: `kube-apiserver` audit logs, ingress visiting logs, and standard output/error logs from containerized processes.\n\nLack of logging makes **incident investigation**, **compliance auditing**, and **security monitoring** significantly more difficult.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudKubernetesCluster",
"ResourceGroup": "container",
"Description": "A **Network Policy** is a specification of how groups of pods are allowed to communicate with each other and other network endpoints.\n\n`NetworkPolicy` resources use labels to select pods and define rules which specify what traffic is allowed. By default, pods are non-isolated and accept traffic from any source. Pods become isolated by having a NetworkPolicy that selects them.",
"Risk": "Without **Network Policies**, all pods in a Kubernetes cluster can communicate with each other freely. This open communication model allows an attacker who compromises a single pod to potentially move **laterally** within the cluster and access sensitive services or data.\n\nNetwork Policies are essential for implementing **defense in depth** and **least privilege** networking.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudKubernetesCluster",
"ResourceGroup": "container",
"Description": "A **private cluster** is a cluster that makes your master inaccessible from the public internet.\n\nIn a private cluster, nodes do not have public IP addresses, so your workloads run in an environment that is isolated from the internet. Nodes and masters communicate with each other privately using **VPC peering**.",
"Risk": "Exposing the **API server endpoint** to the public internet increases the attack surface of your cluster. Attackers can attempt to probe for vulnerabilities, perform **brute force attacks**, or exploit misconfigurations if the API server is publicly accessible.\n\nUsing a private cluster significantly reduces network security risks.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:cs:region:account-id:cluster/{cluster-id}",
"Severity": "high",
"ResourceType": "AlibabaCloudKubernetesCluster",
"ResourceGroup": "container",
"Description": "In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions.\n\nTo ensure that **RBAC** limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, helps ensure that users only have access to specific cluster resources within their own namespace, and is now stable in Kubernetes.",
"Risk": "In Kubernetes, **RBAC** is used to grant permissions to resources at the cluster and namespace level. RBAC allows you to define roles with rules containing a set of permissions.\n\nWithout RBAC, legacy authorization mechanisms like **ABAC** grant **overly broad permissions**, increasing the risk of unauthorized access and privilege escalation.",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "acs:ecs:region:account-id:disk/{disk-id}",
"Severity": "high",
"ResourceType": "AlibabaCloudECSDisk",
"ResourceGroup": "storage",
"Description": "**ECS cloud disk encryption** protects your data at rest. The cloud disk data encryption feature automatically encrypts data when data is transferred from ECS instances to disks, and decrypts data when read from disks.\n\nEnsure that disks are encrypted when they are created with the creation of VM instances.",
"Risk": "**Unencrypted disks** attached to ECS instances pose a security risk as they may contain sensitive data that could be accessed if the disk is compromised or accessed by unauthorized parties.\n\nData at rest without encryption is vulnerable to **unauthorized access** if storage media is lost, stolen, or improperly decommissioned.",
"RelatedUrl": "",
@@ -14,6 +14,7 @@
"ResourceIdTemplate": "acs:ecs:region:account-id:instance/{instance-id}",
"Severity": "high",
"ResourceType": "AlibabaCloudECSInstance",
"ResourceGroup": "compute",
"Description": "Installing **endpoint protection systems** (like **Security Center** for Alibaba Cloud) provides real-time protection capability that helps identify and remove viruses, spyware, and other malicious software.\n\nConfigurable alerts notify when known malicious software attempts to install itself or run on ECS instances.",
"Risk": "ECS instances without **endpoint protection** are vulnerable to **malware**, **viruses**, and other security threats.\n\nEndpoint protection provides real-time monitoring and protection capabilities essential for detecting and preventing security incidents.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ecs:region:account-id:instance/{instance-id}",
"Severity": "high",
"ResourceType": "AlibabaCloudECSInstance",
"ResourceGroup": "compute",
"Description": "Windows and Linux virtual machines should be kept updated to address specific bugs or flaws, improve OS or application's general stability, and fix **security vulnerabilities**.\n\nThe Alibaba Cloud **Security Center** checks for the latest updates in Linux and Windows systems.",
"Risk": "**Unpatched systems** are vulnerable to known security exploits and may be compromised by attackers.\n\nKeeping systems updated with the latest patches is critical for maintaining security and preventing **exploitation of known vulnerabilities**.",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "acs:ecs:region:account-id:instance/{instance-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudECSInstance",
"ResourceGroup": "compute",
"Description": "In order to prevent use of **legacy networks**, ECS instances should not have a legacy network configured.\n\nLegacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. With legacy networks, you cannot create subnetworks or switch from legacy to auto or custom subnet networks.",
"Risk": "**Legacy networks** can have an impact on high network traffic ECS instances and are subject to a **single point of failure**.\n\nThey also lack the security isolation and network segmentation capabilities provided by **VPCs**.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ecs:region:account-id:security-group/{security-group-id}",
"Severity": "high",
"ResourceType": "AlibabaCloudECSSecurityGroup",
"ResourceGroup": "network",
"Description": "**Security groups** provide stateful filtering of ingress/egress network traffic to Alibaba Cloud resources.\n\nIt is recommended that no security group allows unrestricted ingress access to port **3389 (RDP)**.",
"Risk": "Removing unfettered connectivity to remote console services, such as **RDP**, reduces a server's exposure to risk.\n\nUnrestricted RDP access from the internet (`0.0.0.0/0`) exposes systems to **brute force attacks**, **credential stuffing**, and **exploitation of RDP vulnerabilities**.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ecs:region:account-id:security-group/{security-group-id}",
"Severity": "high",
"ResourceType": "AlibabaCloudECSSecurityGroup",
"ResourceGroup": "network",
"Description": "**Security groups** provide stateful filtering of ingress/egress network traffic to Alibaba Cloud resources.\n\nIt is recommended that no security group allows unrestricted ingress access to port **22 (SSH)**.",
"Risk": "Removing unfettered connectivity to remote console services, such as **SSH**, reduces a server's exposure to risk.\n\nUnrestricted SSH access from the internet (`0.0.0.0/0`) exposes systems to **brute force attacks**, **credential stuffing**, and **exploitation of SSH vulnerabilities**.",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "acs:ecs:region:account-id:disk/{disk-id}",
"Severity": "high",
"ResourceType": "AlibabaCloudECSDisk",
"ResourceGroup": "storage",
"Description": "**Cloud disk encryption** protects your data at rest. The cloud disk data encryption feature automatically encrypts data when data is transferred from ECS instances to disks, and decrypts data when read from disks.",
"Risk": "**Unencrypted unattached disks** pose a security risk as they may contain sensitive data that could be accessed if the disk is compromised or accessed by unauthorized parties.\n\nUnattached disks are especially vulnerable as they may be forgotten or not monitored, increasing the risk of **unauthorized access**.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:oss::account-id:bucket-name",
"Severity": "medium",
"ResourceType": "AlibabaCloudOSSBucket",
"ResourceGroup": "storage",
"Description": "**OSS Bucket Access Logging** generates a log that contains access records for each request made to your OSS bucket.\n\nAn access log record contains details about the request, such as the request type, the resources specified in the request, and the time and date the request was processed. It is recommended that bucket access logging be enabled on OSS buckets.",
"Risk": "By enabling **OSS bucket logging** on target OSS buckets, it is possible to capture all events which may affect objects within target buckets.\n\nConfiguring logs to be placed in a separate bucket allows access to log information useful in **security** and **incident response** workflows.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:oss::account-id:bucket-name",
"Severity": "critical",
"ResourceType": "AlibabaCloudOSSBucket",
"ResourceGroup": "storage",
"Description": "A bucket is a container used to store objects in **Object Storage Service (OSS)**. All objects in OSS are stored in buckets.\n\nIt is recommended that the access policy on OSS buckets does not allow **anonymous** and/or **public access**.",
"Risk": "Allowing **anonymous** and/or **public access** grants permissions to anyone to access bucket content. Such access might not be desired if you are storing any sensitive data.\n\nPublic buckets can lead to **data breaches**, **unauthorized data access**, and **compliance violations**.",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "acs:oss::account-id:bucket-name",
"Severity": "high",
"ResourceType": "AlibabaCloudOSSBucket",
"ResourceGroup": "storage",
"Description": "Enable **data encryption in transit**. The secure transfer enhances the security of OSS buckets by only allowing requests to the storage account via a secure connection.\n\nFor example, when calling REST APIs to access storage accounts, the connection must use **HTTPS**. Any requests using HTTP will be rejected.",
"Risk": "Without **secure transfer enforcement**, OSS buckets may accept HTTP requests, which are not encrypted in transit.\n\nThis exposes data to potential **interception** and **man-in-the-middle attacks**, compromising data confidentiality and integrity.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ram::account-id:root",
"Severity": "critical",
"ResourceType": "AlibabaCloudRAMAccessKey",
"ResourceGroup": "IAM",
"Description": "Ensure no **root account access key** exists. Access keys provide programmatic access to a given Alibaba Cloud account.\n\nIt is recommended that all access keys associated with the root account be removed.",
"Risk": "The **root account** is the most privileged user in an Alibaba Cloud account. Access Keys provide programmatic access to a given Alibaba Cloud account.\n\nRemoving access keys associated with the root account limits vectors by which the account can be compromised and encourages the creation and use of **role-based accounts** that are least privileged.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ram::account-id:password-policy",
"Severity": "medium",
"ResourceType": "AlibabaCloudRAMPasswordPolicy",
"ResourceGroup": "IAM",
"Description": "**RAM password policies** can be used to ensure password complexity.\n\nIt is recommended that the password policy require at least one **lowercase letter**.",
"Risk": "Enhancing complexity of a password policy increases account resiliency against **brute force logon attempts**.\n\nWeak passwords without character variety are more susceptible to dictionary attacks and automated password cracking tools.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ram::account-id:password-policy",
"Severity": "medium",
"ResourceType": "AlibabaCloudRAMPasswordPolicy",
"ResourceGroup": "IAM",
"Description": "**RAM password policies** can temporarily block logon after several incorrect logon attempts within an hour.\n\nIt is recommended that the password policy is set to temporarily block logon after **5 incorrect logon attempts** within an hour.",
"Risk": "Temporarily blocking logon for incorrect password input increases account resiliency against **brute force logon attempts**.\n\nThis control helps prevent automated password guessing attacks from succeeding.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ram::account-id:password-policy",
"Severity": "medium",
"ResourceType": "AlibabaCloudRAMPasswordPolicy",
"ResourceGroup": "IAM",
"Description": "**RAM password policies** can require passwords to be expired after a given number of days.\n\nIt is recommended that the password policy expire passwords after **365 days** or greater.",
"Risk": "Too frequent password changes are more harmful than beneficial. They offer no containment benefits and enforce bad habits, since they encourage users to choose variants of older passwords.\n\nThe CIS now recommends an **annual password reset** as a balanced approach.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ram::account-id:password-policy",
"Severity": "medium",
"ResourceType": "AlibabaCloudRAMPasswordPolicy",
"ResourceGroup": "IAM",
"Description": "**RAM password policies** can be used to ensure password complexity.\n\nIt is recommended that the password policy require a minimum of **14 or greater characters** for any password.",
"Risk": "Enhancing complexity of a password policy increases account resiliency against **brute force logon attempts**.\n\nLonger passwords provide exponentially more security against automated password cracking.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ram::account-id:password-policy",
"Severity": "medium",
"ResourceType": "AlibabaCloudRAMPasswordPolicy",
"ResourceGroup": "IAM",
"Description": "**RAM password policies** can be used to ensure password complexity.\n\nIt is recommended that the password policy require at least one **number**.",
"Risk": "Enhancing complexity of a password policy increases account resiliency against **brute force logon attempts**.\n\nWeak passwords without numeric characters are more susceptible to dictionary attacks.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ram::account-id:password-policy",
"Severity": "medium",
"ResourceType": "AlibabaCloudRAMPasswordPolicy",
"ResourceGroup": "IAM",
"Description": "It is recommended that the **password policy** prevent the reuse of passwords.\n\nThis ensures users cannot cycle back to previously compromised passwords.",
"Risk": "Preventing **password reuse** increases account resiliency against brute force logon attempts.\n\nIf a password is compromised and later reused, attackers with knowledge of old credentials can regain access.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ram::account-id:password-policy",
"Severity": "medium",
"ResourceType": "AlibabaCloudRAMPasswordPolicy",
"ResourceGroup": "IAM",
"Description": "**RAM password policies** can be used to ensure password complexity.\n\nIt is recommended that the password policy require at least one **symbol**.",
"Risk": "Enhancing complexity of a password policy increases account resiliency against **brute force logon attempts**.\n\nSpecial characters significantly increase the keyspace that attackers must search.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ram::account-id:password-policy",
"Severity": "medium",
"ResourceType": "AlibabaCloudRAMPasswordPolicy",
"ResourceGroup": "IAM",
"Description": "**RAM password policies** can be used to ensure password complexity.\n\nIt is recommended that the password policy require at least one **uppercase letter**.",
"Risk": "Enhancing complexity of a password policy increases account resiliency against **brute force logon attempts**.\n\nWeak passwords without case variety are more susceptible to dictionary attacks.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ram::account-id:user/{user-name}",
"Severity": "low",
"ResourceType": "AlibabaCloudRAMUser",
"ResourceGroup": "IAM",
"Description": "By default, **RAM users**, groups, and roles have no access to Alibaba Cloud resources. RAM policies are the means by which privileges are granted to users, groups, or roles.\n\nIt is recommended that RAM policies be applied directly to **groups and roles** but not users.",
"Risk": "Assigning privileges at the **group or role level** reduces the complexity of access management as the number of users grows.\n\nReducing access management complexity may in turn reduce opportunity for a principal to inadvertently receive or retain **excessive privileges**.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ram::account-id:policy/{policy-name}",
"Severity": "critical",
"ResourceType": "AlibabaCloudRAMPolicy",
"ResourceGroup": "IAM",
"Description": "**RAM policies** represent permissions that can be granted to users, groups, or roles. It is recommended to grant **least privilege**—that is, granting only the permissions required to perform tasks.\n\nDetermine what users need to do and then create policies with permissions that only fit those tasks, instead of allowing full administrative privileges.",
"Risk": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary. Providing **full administrative privileges** exposes your resources to potentially unwanted actions.\n\nRAM policies with `\"Effect\": \"Allow\"`, `\"Action\": \"*\"`, and `\"Resource\": \"*\"` should be prohibited.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ram::account-id:user/{user-name}/accesskey/{access-key-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudRAMAccessKey",
"ResourceGroup": "IAM",
"Description": "An **access key** consists of an access key ID and a secret, which are used to sign programmatic requests that you make to Alibaba Cloud.\n\nRAM users need their own access keys to make programmatic calls from SDKs, CLIs, or direct API calls. It is recommended that all access keys be **regularly rotated**.",
"Risk": "Access keys might be compromised by leaving them in code, configuration files, on-premise and cloud storages, and then stolen by attackers.\n\n**Rotating access keys** reduces the window of opportunity for a compromised access key to be used.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ram::account-id:user/{user-name}",
"Severity": "medium",
"ResourceType": "AlibabaCloudRAMUser",
"ResourceGroup": "IAM",
"Description": "Alibaba Cloud **RAM users** can log on to the Alibaba Cloud console by using their username and password.\n\nIf a user has not logged on for **90 days or longer**, it is recommended to disable the console access of the user.",
"Risk": "Disabling users from having unnecessary logon privileges will reduce the opportunity that an **abandoned user** or a user with **compromised password** to be exploited.\n\nInactive accounts are common targets for attackers attempting account takeover.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:ram::account-id:user/{user-name}",
"Severity": "high",
"ResourceType": "AlibabaCloudRAMUser",
"ResourceGroup": "IAM",
"Description": "**Multi-Factor Authentication (MFA)** adds an extra layer of protection on top of a username and password.\n\nWith MFA enabled, when a user logs on to Alibaba Cloud, they will be prompted for their username and password followed by an authentication code from their virtual MFA device. It is recommended that MFA be enabled for all users that have a console password.",
"Risk": "**MFA** requires users to verify their identities by entering two authentication factors. When MFA is enabled, an attacker faces at least two different authentication mechanisms.\n\nThe additional security makes it significantly harder for an attacker to gain access even if passwords are compromised.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}",
"Severity": "critical",
"ResourceType": "AlibabaCloudRDSDBInstance",
"ResourceGroup": "database",
"Description": "Database Server should accept connections only from trusted **Network(s)/IP(s)** and restrict access from the world.\n\nTo minimize attack surface on a Database server Instance, only trusted/known and required IPs should be whitelisted. Authorized network should not have IPs/networks configured to `0.0.0.0` or `/0` which would allow access from anywhere in the world.",
"Risk": "Allowing **public access** (`0.0.0.0/0`) to the database significantly increases the risk of **brute-force attacks**, **unauthorized access**, and **data exfiltration**.\n\nDatabases exposed to the internet are prime targets for attackers.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudRDSDBInstance",
"ResourceGroup": "database",
"Description": "Enable `log_connections` on **PostgreSQL Servers**. Enabling `log_connections` helps PostgreSQL Database log attempted connections to the server, as well as successful completion of client authentication.\n\nLog data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.",
"Risk": "Without **connection logging**, unauthorized access attempts might go unnoticed, and troubleshooting connection issues becomes more difficult.\n\nThis data is essential for **security monitoring** and **incident investigation**.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudRDSDBInstance",
"ResourceGroup": "database",
"Description": "Enable `log_disconnections` on **PostgreSQL Servers**. Enabling `log_disconnections` helps PostgreSQL Database log session terminations of the server, as well as duration of the session.\n\nLog data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.",
"Risk": "Without **disconnection logging**, it's harder to track session durations and identify abnormal disconnection patterns that might indicate **attacks** or **stability issues**.",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudRDSDBInstance",
"ResourceGroup": "database",
"Description": "Enable `log_duration` on **PostgreSQL Servers**. Enabling `log_duration` helps PostgreSQL Database log the duration of each completed SQL statement which in turn generates query and error logs.\n\nQuery and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.",
"Risk": "Without **duration logging**, it's difficult to identify **slow queries**, **performance bottlenecks**, and potential **DoS attempts**.\n\nThis information is critical for database performance tuning and security monitoring.",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudRDSDBInstance",
"ResourceGroup": "database",
"Description": "Enable **SQL auditing** on all RDS instances (except SQL Server 2012/2016/2017 and MariaDB TX). Auditing tracks database events and writes them to an audit log.\n\nIt helps to maintain **regulatory compliance**, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.",
"Risk": "Without **SQL auditing**, it's difficult to detect **unauthorized access**, **data breaches**, or **malicious activity** within the database.\n\nIt also hinders **forensic investigations** and compliance reporting.",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudRDSDBInstance",
"ResourceGroup": "database",
"Description": "Database **SQL Audit Retention** should be configured to be greater than or equal to the configured period (default: **6 months / 180 days**).\n\nAudit Logs can be used to check for anomalies and give insight into suspected breaches or misuse of information and access.",
"Risk": "**Short retention periods** for audit logs can result in the loss of critical forensic data needed for **incident investigation** and **compliance auditing**.\n\nMany regulations require minimum retention periods for audit data.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudRDSDBInstance",
"ResourceGroup": "database",
"Description": "It is recommended to enforce all incoming connections to SQL database instances to use **SSL**.\n\nSQL database connections if successfully intercepted (MITM) can reveal sensitive data like credentials, database queries, and query outputs. For security, it is recommended to always use SSL encryption when connecting to your instance.",
"Risk": "If **SSL is not enabled**, data in transit (including credentials and query results) can be intercepted by attackers performing **Man-in-the-Middle (MITM) attacks**.\n\nThis compromises data confidentiality and integrity.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}",
"Severity": "high",
"ResourceType": "AlibabaCloudRDSDBInstance",
"ResourceGroup": "database",
"Description": "Enable **Transparent Data Encryption (TDE)** on every RDS instance. RDS Database TDE helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and log files at rest.\n\nNo changes to the application are required.",
"Risk": "**Data at rest** that is not encrypted is vulnerable to unauthorized access if the underlying storage media or backups are compromised.\n\nTDE protects against physical theft and unauthorized access to storage systems.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:rds:region:account-id:dbinstance/{dbinstance-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudRDSDBInstance",
"ResourceGroup": "database",
"Description": "**TDE with BYOK** support provides increased transparency and control, increased security with an HSM-backed KMS service, and promotion of separation of duties.\n\nBased on business needs or criticality of data, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (**BYOK**).",
"Risk": "Using **service-managed keys** means the cloud provider manages the encryption keys. **BYOK (Bring Your Own Key)** gives you full control over the key lifecycle and permissions.\n\nThis ensures that even the cloud provider cannot access your data without your explicit permission.",
"RelatedUrl": "",
@@ -15,6 +15,7 @@
"ResourceIdTemplate": "acs:sas::account-id:security-center",
"Severity": "medium",
"ResourceType": "AlibabaCloudSecurityCenter",
"ResourceGroup": "security",
"Description": "The **Advanced or Enterprise Edition** enables threat detection for network and endpoints, providing **malware detection**, **webshell detection**, and **anomaly detection** in Security Center.",
"Risk": "Using **Basic or Free Edition** of Security Center may not provide comprehensive protection against cloud threats.\n\n**Advanced or Enterprise Edition** allows for full protection to defend against cloud threats.",
"RelatedUrl": "",
@@ -14,6 +14,7 @@
"ResourceIdTemplate": "acs:sas:region:account-id:machine/{machine-id}",
"Severity": "high",
"ResourceType": "AlibabaCloudSecurityCenterMachine",
"ResourceGroup": "security",
"Description": "The endpoint protection of **Security Center** requires an agent to be installed on the endpoint to work. Such an agent-based approach allows the security center to provide comprehensive endpoint intrusion detection and protection capabilities.\n\nThis includes remote logon detection, **webshell detection** and removal, **anomaly detection** (detection of abnormal process behaviors and network connections), and detection of changes in key files and suspicious accounts.",
"Risk": "Assets without **Security Center agent** installed are not protected by endpoint intrusion detection and protection capabilities, leaving them vulnerable to security threats.\n\nUnprotected assets become blind spots in your security monitoring.",
"RelatedUrl": "",
@@ -14,6 +14,7 @@
"ResourceIdTemplate": "acs:sas::account-id:notice-config/{project}",
"Severity": "medium",
"ResourceType": "AlibabaCloudSecurityCenterNoticeConfig",
"ResourceGroup": "security",
"Description": "Enable all **risk item notifications** in Vulnerability, Baseline Risks, Alerts, and AccessKey Leak event detection categories.\n\nThis ensures that relevant security operators receive notifications as soon as security events occur.",
"Risk": "Without **notifications enabled** for high-risk items, security operators may not be aware of critical security events in a timely manner, potentially leading to **delayed response** and **increased security exposure**.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:sas::account-id:vulnerability-scan-config",
"Severity": "high",
"ResourceType": "AlibabaCloudSecurityCenterVulConfig",
"ResourceGroup": "security",
"Description": "Ensure that **scheduled vulnerability scan** is enabled on all servers.\n\nBe sure that vulnerability scanning is performed periodically to discover system vulnerabilities in time.",
"Risk": "Without **scheduled vulnerability scans** enabled, system vulnerabilities may not be discovered in a timely manner, leaving systems exposed to **known security threats** and **exploits**.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
"Severity": "medium",
"ResourceType": "AlibabaCloudSLSAlert",
"ResourceGroup": "monitoring",
"Description": "It is recommended that a **metric filter and alarm** be established for **Cloud Firewall** rule changes.",
"Risk": "Monitoring for **Create** or **Update** firewall rule events gives insight into network access changes and may reduce the time it takes to detect **suspicious activity**.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
"Severity": "medium",
"ResourceType": "AlibabaCloudSLSAlert",
"ResourceGroup": "monitoring",
"Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\nIt is recommended that a query and alarm be established for customer-created **KMS keys** which have changed state to disabled or deletion.",
"Risk": "Data encrypted with **disabled or deleted keys** will no longer be accessible.\n\nThis could lead to **data loss** or **business disruption** if keys are inadvertently or maliciously disabled.",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "acs:log:region:account-id:project/project-name/logstore/logstore-name",
"Severity": "medium",
"ResourceType": "AlibabaCloudSLSLogStore",
"ResourceGroup": "monitoring",
"Description": "Ensure **Activity Log Retention** is set for **365 days** or greater.",
"Risk": "Logstore lifecycle controls how your activity log is exported and retained. It is recommended to retain your activity log for **365 days or more** to have time to respond to any incidents.\n\nShort retention periods may result in loss of **forensic evidence** needed for security investigations.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
"Severity": "medium",
"ResourceType": "AlibabaCloudSLSAlert",
"ResourceGroup": "monitoring",
"Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\nIt is recommended that a query and alarm be established for **failed console authentication attempts**.",
"Risk": "Monitoring **failed console logins** may decrease lead time to detect an attempt to **brute force** a credential, which may provide an indicator (such as source IP) that can be used in other event correlation.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
"Severity": "medium",
"ResourceType": "AlibabaCloudSLSAlert",
"ResourceGroup": "monitoring",
"Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\nIt is recommended that a query and alarm be established for console logins that are not protected by **multi-factor authentication (MFA)**.",
"Risk": "Monitoring for **single-factor console logins** will increase visibility into accounts that are not protected by MFA.\n\nThis helps identify potential security gaps in authentication enforcement.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
"Severity": "medium",
"ResourceType": "AlibabaCloudSLSAlert",
"ResourceGroup": "monitoring",
"Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\nIt is recommended that a query and alarm be established for changes to **OSS bucket policies**.",
"Risk": "Monitoring changes to **OSS bucket policies** may reduce time to detect and correct **permissive policies** on sensitive OSS buckets.\n\nThis helps prevent unintended data exposure.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
"Severity": "medium",
"ResourceType": "AlibabaCloudSLSAlert",
"ResourceGroup": "monitoring",
"Description": "It is recommended that a **metric filter and alarm** be established for **OSS Bucket RAM** changes.",
"Risk": "Monitoring changes to **OSS permissions** may reduce time to detect and correct permissions on sensitive OSS buckets and objects inside the bucket.\n\nThis helps prevent **unauthorized access** to stored data.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
"Severity": "medium",
"ResourceType": "AlibabaCloudSLSAlert",
"ResourceGroup": "monitoring",
"Description": "It is recommended that a query and alarm be established for **RAM Role** creation, deletion, and updating activities.",
"Risk": "Monitoring **role creation**, **deletion**, and **updating** activities will help in identifying potential **malicious actions** at an early stage.\n\nUnauthorized role changes could lead to privilege escalation.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
"Severity": "medium",
"ResourceType": "AlibabaCloudSLSAlert",
"ResourceGroup": "monitoring",
"Description": "It is recommended that a **metric filter and alarm** be established for **RDS Instance** configuration changes.",
"Risk": "Monitoring changes to **RDS Instance configuration** may reduce time to detect and correct **misconfigurations** done on database servers.\n\nThis helps prevent security gaps in database deployments.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
"Severity": "medium",
"ResourceType": "AlibabaCloudSLSAlert",
"ResourceGroup": "monitoring",
"Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\nIt is recommended that a query and alarm be established for **root account login** attempts.",
"Risk": "Monitoring for **root account logins** will provide visibility into the use of a fully privileged account and an opportunity to reduce its use.\n\nRoot account usage should be minimized and closely monitored.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
"Severity": "medium",
"ResourceType": "AlibabaCloudSLSAlert",
"ResourceGroup": "monitoring",
"Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\n**Security Groups** are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a query and alarm be established for changes to Security Groups.",
"Risk": "Monitoring changes to **security groups** will help ensure that resources and services are not unintentionally exposed.\n\nUnauthorized security group modifications could lead to **network exposure** and **unauthorized access**.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
"Severity": "medium",
"ResourceType": "AlibabaCloudSLSAlert",
"ResourceGroup": "monitoring",
"Description": "Real-time monitoring of API calls can be achieved by directing **ActionTrail Logs** to Log Service and establishing corresponding query and alarms.\n\nIt is recommended that a query and alarm be established for **unauthorized API calls**.",
"Risk": "Monitoring **unauthorized API calls** will help reveal application errors and may reduce time to detect **malicious activity**.\n\nThis is essential for early detection of potential security breaches.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
"Severity": "medium",
"ResourceType": "AlibabaCloudSLSAlert",
"ResourceGroup": "monitoring",
"Description": "It is recommended that a **log search/analysis query and alarm** be established for **VPC changes**.",
"Risk": "Monitoring changes to **VPC** will help ensure VPC traffic flow is not getting impacted.\n\nUnauthorized VPC modifications could disrupt network connectivity or create security vulnerabilities.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:log:region:account-id:project/project-name/alert/alert-name",
"Severity": "medium",
"ResourceType": "AlibabaCloudSLSAlert",
"ResourceGroup": "monitoring",
"Description": "It is recommended that a **metric filter and alarm** be established for **VPC network route** changes.",
"Risk": "Monitoring changes to **route tables** will help ensure that all VPC traffic flows through an expected path.\n\nUnauthorized route changes could redirect traffic through malicious intermediaries.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "acs:vpc:region:account-id:vpc/{vpc-id}",
"Severity": "medium",
"ResourceType": "AlibabaCloudVPC",
"ResourceGroup": "network",
"Description": "You can use the **flow log function** to monitor the IP traffic information for an ENI, a VSwitch, or a VPC.\n\nIf you create a flow log for a VSwitch or a VPC, all the **Elastic Network Interfaces**, including the newly created ones, are monitored. Such flow log data is stored in **Log Service**, where you can view and analyze IP traffic information. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.",
"Risk": "**VPC Flow Logs** provide visibility into network traffic that traverses the VPC and can be used to detect **anomalous traffic** or provide insight during security workflows.\n\nWithout flow logs, it is difficult to investigate network-based security incidents.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "Other",
"ResourceGroup": "security",
"Description": "**IAM Access Analyzer** presence and status are evaluated per account and Region. An analyzer in `ACTIVE` state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.",
"Risk": "Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.",
"RelatedUrl": "",
@@ -13,6 +13,7 @@
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "Other",
"ResourceGroup": "security",
"Description": "**IAM Access Analyzer** analyzers are in `Active` state and currently report zero `Active` findings within their scope of monitored resources.",
"Risk": "Unresolved `Active` findings indicate unintended external or internal access paths.\n- **Confidentiality**: public/cross-account reads of data (buckets, snapshots, secrets)\n- **Integrity**: rogue role assumption or KMS use enabling policy/data changes\n- **Lateral movement** across accounts",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceGroup": "governance",
"Description": "**AWS account contact information** is current for the **primary contact** and the **alternate contacts** for `security`, `billing`, and `operations`, with accurate email addresses and phone numbers.",
"Risk": "Outdated or single-person contacts delay **security notifications**, slow **incident response**, and complicate **account recovery**.\n\nAWS may throttle services during abuse mitigation, reducing **availability**. Missed alerts enable ongoing misuse, risking **data exfiltration** and unauthorized changes (**integrity**).",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceGroup": "governance",
"Description": "**AWS account alternate contacts** are defined for **Security**, **Billing**, and **Operations** with `name`, `email`, and `phone`. The finding evaluates that all three exist, are distinct from one another, and differ from the **primary (root) contact**.",
"Risk": "Missing or shared contacts can delay response to abuse alerts, credential compromise, or billing anomalies, reducing **availability** (possible AWS traffic throttling) and raising **confidentiality** and **integrity** risk through extended exposure. If AWS cannot reach you, urgent mitigation may disrupt service.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceGroup": "governance",
"Description": "Account settings contain a **Security alternate contact** in Alternate Contacts (name, `EmailAddress`, `PhoneNumber`) for targeted AWS security notifications.",
"Risk": "Missing or outdated **security contact** can delay or prevent AWS advisories from reaching responders, increasing risk to:\n- Confidentiality: data exfiltration from undetected compromise\n- Integrity: unauthorized changes persist longer\n- Availability: resource abuse (e.g., cryptomining) and outages",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceGroup": "governance",
"Description": "[DEPRECATED] **AWS account root** configuration may include legacy **security challenge questions** for support identity verification. This evaluates whether those questions are set on the account. *New configuration is discontinued by AWS and remaining support for this feature is time-limited.*",
"Risk": "Absence of these questions can limit support-assisted recovery if root credentials or MFA are lost, reducing **availability** and slowing **incident response**. Reliance on KBA also weakens **confidentiality** due to **social engineering**. Treat this as a recovery gap and adopt stronger, phishing-resistant factors.",
"RelatedUrl": "",
@@ -12,6 +12,7 @@
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsCertificateManagerCertificate",
"ResourceGroup": "security",
"Description": "**ACM certificates** are assessed for **time to expiration** against a configurable threshold. Certificates close to end of validity or already expired are surfaced, covering those attached to services and, *if in scope*, unused ones.",
"Risk": "Expired or near-expiry **TLS certificates** can break handshakes, causing **service outages** and failed API calls (**availability**). Emergency fixes raise misconfiguration risk, enabling disabled verification or weak ciphers, which allows **MITM** and data exposure (**confidentiality**/**integrity**).",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsCertificateManagerCertificate",
"ResourceGroup": "security",
"Description": "**ACM-issued certificates** are checked for **Certificate Transparency (CT) logging** being enabled. Certificates with type `IMPORTED` are excluded from evaluation.",
"Risk": "Disabling **CT logging** reduces visibility into **misissued or rogue certificates**, weakening confidentiality and integrity. Attackers can **impersonate sites** or run **TLS man-in-the-middle** without timely detection. Unlogged public certs may be distrusted by browsers, impacting availability and user trust.",
"RelatedUrl": "",
@@ -13,12 +13,13 @@
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsCertificateManagerCertificate",
"ResourceGroup": "security",
"Description": "**ACM certificates** are evaluated for the **public key algorithm and size**, identifying those that use weak parameters such as `RSA-1024` or ECDSA `P-192`. Certificates using `RSA-2048+` or ECDSA `P-256+` meet the secure baseline.",
"Risk": "**Weak certificate keys** reduce TLS confidentiality and authenticity.\n\nFeasible factoring or discrete log attacks can reveal private keys, enabling **man-in-the-middle**, session decryption, and **certificate spoofing**, leading to data exposure and tampering.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://noise.getoto.net/2022/11/08/how-to-evaluate-and-use-ecdsa-certificates-in-aws-certificate-manager/",
"https://docs.aws.amazon.com/acm/latest/userguide/data-protection.html"
"https://docs.aws.amazon.com/acm/latest/userguide/data-protection.html"
],
"Remediation": {
"Code": {
@@ -12,6 +12,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsApiGatewayRestApi",
"ResourceGroup": "api_gateway",
"Description": "**API Gateway REST APIs** are evaluated for **access control**: an **API-level authorizer** is present, or all resource methods use an authorization mechanism. Methods marked `NONE` indicate unauthenticated access.",
"Risk": "**Unauthenticated API methods** enable:\n- Arbitrary reads exposing data (**confidentiality**)\n- Unauthorized actions against backends (**integrity**)\n- Abuse and high traffic causing cost spikes or outages (**availability**)\n\nAttackers can enumerate endpoints and invoke integrations without tokens.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsApiGatewayStage",
"ResourceGroup": "api_gateway",
"Description": "API Gateway REST API stages with caching have **cache data encrypted at rest**. The evaluation targets stages where caching is enabled and verifies that stored responses are protected via the `Encrypt cache data` setting.",
"Risk": "Unencrypted cache contents can expose response payloads, tokens, or PII if cache storage, backups, or admin tooling are accessed outside normal controls, harming **confidentiality** and enabling replay or session hijacking.\n\nDisclosure also reveals API patterns, aiding **lateral movement** and targeted abuse.",
"RelatedUrl": "",
@@ -13,6 +13,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsApiGatewayStage",
"ResourceGroup": "api_gateway",
"Description": "**API Gateway stage** has a **client certificate** configured so HTTP/S integrations can perform **mutual TLS** and authenticate API Gateway to the backend",
"Risk": "Without client authentication to the backend, requests cannot be proven to originate from API Gateway. Direct calls to the backend may bypass gateway policies, enabling unauthorized access and data tampering. This degrades **integrity** and **confidentiality** and reduces auditability.",
"RelatedUrl": "",
@@ -12,6 +12,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsApiGatewayStage",
"ResourceGroup": "api_gateway",
"Description": "**API Gateway REST API stages** with **stage logging** enabled to emit execution or access logs to CloudWatch",
"Risk": "Without stage logging, API activity lacks visibility, hindering detection of abuse and incident response.\nAttackers can probe endpoints, exfiltrate data, or tamper integrations without traces, impacting confidentiality, integrity, and availability and blocking forensic investigation.",
"RelatedUrl": "",
@@ -12,6 +12,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsApiGatewayRestApi",
"ResourceGroup": "api_gateway",
"Description": "**Amazon API Gateway REST APIs** are evaluated for endpoint exposure: **internet-accessible** endpoints versus **private VPC-only** access via interface VPC endpoints (`AWS PrivateLink`).",
"Risk": "Internet exposure increases attack surface:\n- **Confidentiality**: misconfigured or anonymous methods can leak data\n- **Integrity**: unauthorized calls can change backend state\n- **Availability/cost**: bots or DDoS can exhaust capacity and spike spend",
"RelatedUrl": "",
@@ -12,6 +12,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsApiGatewayRestApi",
"ResourceGroup": "api_gateway",
"Description": "**API Gateway REST APIs** exposed to the Internet are evaluated for an attached **authorizer** that enforces caller identity (Lambda authorizer or Cognito user pool) on method invocations.\n\nFocus is on whether public endpoints require authenticated requests rather than accepting anonymous calls.",
"Risk": "Without an **authorizer** on a public API, anonymous callers can:\n- Read or alter data (confidentiality/integrity)\n- Trigger backend actions, impacting systems\n- Abuse traffic, degrading availability and inflating costs\n\nEndpoint enumeration also enables broader discovery and lateral movement.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsApiGatewayStage",
"ResourceGroup": "api_gateway",
"Description": "**API Gateway REST API stages** have **AWS X-Ray active tracing** enabled to sample incoming requests and produce distributed traces across connected services.",
"Risk": "Without X-Ray tracing, you lose end-to-end visibility, hindering detection of timeouts, errors, and anomalous latency.\n\nThis delays incident response and root-cause analysis, increasing MTTR and risking partial outages (availability) and undetected integration failures (integrity).",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsApiGatewayStage",
"ResourceGroup": "api_gateway",
"Description": "**Amazon API Gateway (REST API)** stages are assessed for an associated **AWS WAF web ACL**. The finding reflects whether a `web ACL` is linked at the stage level.",
"Risk": "Absent a **WAF web ACL**, APIs are exposed to application-layer threats that impact CIA:\n- Confidentiality: data exfiltration via injection\n- Integrity: parameter tampering and path traversal\n- Availability: L7 floods, bot abuse, resource exhaustion\n*Public endpoints face heightened risk.*",
"RelatedUrl": "",
@@ -13,6 +13,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsApiGatewayV2Stage",
"ResourceGroup": "api_gateway",
"Description": "**API Gateway v2** stages have **access logging** configured to capture request details and deliver them to a logging destination (e.g., CloudWatch Logs or Firehose). The evaluation looks for logging being enabled at each API stage.",
"Risk": "Without access logs, API calls lack traceability, making it hard to spot credential misuse, route abuse, or anomalous traffic.\n\nThis reduces confidentiality and integrity through undetected data access or manipulation, and impacts availability by slowing incident response.",
"RelatedUrl": "",
@@ -15,6 +15,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsApiGatewayV2Api",
"ResourceGroup": "api_gateway",
"Description": "**API Gateway v2 APIs** use **authorizers** (JWT/Cognito or Lambda) to authenticate requests. This evaluates whether an API has an authorizer configured to control access to its routes.",
"Risk": "Without an authorizer, anyone can invoke routes.\n- Confidentiality: exposure of data and metadata\n- Integrity: unauthorized state changes or actions\n- Availability/Cost: automated abuse of backends, traffic spikes, and unexpected spend",
"RelatedUrl": "",
@@ -12,6 +12,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceGroup": "compute",
"Description": "**Amazon AppStream fleets** are assessed for the `EnableDefaultInternetAccess` setting, identifying fleets where streaming instances have default Internet connectivity.",
"Risk": "**Direct Internet access** gives streaming instances public exposure. Threats include:\n- Remote exploitation and malware, undermining **confidentiality** and **integrity**\n- Uncontrolled egress enabling **data exfiltration**\n\nIt also enforces ~100-instance limits, reducing **availability** for high-concurrency deployments.",
"RelatedUrl": "",
@@ -10,6 +10,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceGroup": "compute",
"Description": "**AppStream fleets** enforce a **maximum user session duration**. This finding evaluates each fleet's configured limit against a threshold-default `10 hours` (`36000` seconds)-and identifies fleets whose session duration exceeds that limit.",
"Risk": "Overlong sessions widen the window for **session hijacking**, **lateral movement**, and **data exfiltration** if endpoints or tokens are compromised. Reduced reauthentication weakens **confidentiality** and **integrity**, and extended access can increase **costs** and resource contention.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceGroup": "compute",
"Description": "**AppStream fleets** are evaluated for `DisconnectTimeoutInSeconds` being at or below `300` seconds (5 minutes), which defines how long a streaming session remains active after a user disconnects.",
"Risk": "Long disconnect times keep sessions active, enabling **session hijacking** or unintended reconnection on lost/stolen devices. This raises data exposure (confidentiality), permits unauthorized actions (integrity), and ties up capacity and costs (availability/operations).",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Other",
"ResourceGroup": "compute",
"Description": "**Amazon AppStream fleets** are evaluated for the **idle disconnect timeout** setting, confirming it is configured to `10 minutes` (`<=600s`) or less before inactive users are dropped and the session's `disconnect_timeout` window begins.",
"Risk": "**Long idle sessions** keep desktops/apps accessible without user presence, enabling **session hijacking**, **shoulder surfing**, and **data exposure**. They also **consume capacity** and extend **billing**, reducing **availability** for other users.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsAppSyncGraphQLApi",
"ResourceGroup": "api_gateway",
"Description": "**AWS AppSync GraphQL APIs** have **field-level logging** configured at the resolver level. The check looks for log levels of `ERROR` or `ALL` to confirm field resolution events are recorded.",
"Risk": "Without **field-level logs**, resolver access and mutations lack **auditability**, reducing detection of data exfiltration and tampering (**confidentiality and integrity**). Limited traces hinder incident response and root-cause analysis, increasing recovery time.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsAppSyncGraphQLApi",
"ResourceGroup": "api_gateway",
"Description": "**AWS AppSync GraphQL APIs** are examined for the default authorization type. The finding indicates an API configured with `API_KEY` instead of IAM, Cognito, OIDC, or Lambda authorizers.",
"Risk": "Static **API keys** can be leaked or reused, enabling unauthorized queries and mutations.\n- **Confidentiality**: unrestricted data reads\n- **Integrity**: unauthorized writes and schema misuse\n- **Accountability**: no user identity for auditing, difficult revocation and scoping",
"RelatedUrl": "",
@@ -13,6 +13,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsAthenaWorkGroup",
"ResourceGroup": "analytics",
"Description": "**Athena workgroups** are evaluated for **encryption of query results** to confirm result data is stored encrypted at rest, whether saved in Amazon S3 or via managed query results",
"Risk": "Unencrypted query outputs can be read at rest by unintended principals through S3 misconfigurations or cross-account access.\n\nImpact: **Confidentiality loss**, enabling **data exfiltration** and supporting **lateral movement** by exposing sensitive fields outside intended boundaries.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsAthenaWorkGroup",
"ResourceGroup": "analytics",
"Description": "**Athena workgroups** that set `enforce_workgroup_configuration=true` apply the **workgroup's settings** to every query, overriding client-side options for results location, expected bucket owner, encryption, and control of objects written to the results bucket.",
"Risk": "Without enforcement, clients may disable or change result **encryption**, redirect outputs to unintended or cross-account buckets, and bypass retention controls.\n\nThis enables data exposure (C), result tampering (I), and weak auditability, complicating incident response.",
"RelatedUrl": "",
@@ -12,6 +12,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsAthenaWorkGroup",
"ResourceGroup": "analytics",
"Description": "**Athena workgroups** publish **query metrics** to CloudWatch. This evaluation determines whether each workgroup has query activity logging enabled in CloudWatch.",
"Risk": "Without CloudWatch query logging, risky or anomalous queries go unobserved, weakening **confidentiality** and **integrity**. Compromised or insider accounts can exfiltrate data and alter datasets without timely detection, hampering forensics and containment.",
"RelatedUrl": "",
@@ -12,6 +12,7 @@
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "AwsAutoScalingLaunchConfiguration",
"ResourceGroup": "compute",
"Description": "[DEPRECATED] EC2 Auto Scaling launch configurations are analyzed for **secrets** embedded in `User Data`, such as passwords, tokens, or API keys in bootstrapping scripts.",
"Risk": "Secrets in `User Data` erode **confidentiality** and **integrity**:\n- Instance users or processes can read or log them\n- Exposed keys enable unauthorized API calls, data exfiltration, and lateral movement\n- Credential reuse increases blast radius across accounts and services",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsAutoScalingAutoScalingGroup",
"ResourceGroup": "compute",
"Description": "**EC2 Auto Scaling groups** use **Capacity Rebalancing** to act on EC2 `rebalance` recommendations by launching replacement Spot instances and terminating at-risk ones after they are healthy.\n\n*Assesses whether this proactive replacement behavior is enabled.*",
"Risk": "Without **Capacity Rebalancing**, Spot interruptions can drop targets and reduce capacity, causing timeouts, 5xx spikes, and backlog growth. The two-minute notice is often insufficient, reducing service **availability** and increasing the chance of cascading failures and slow recovery.",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsAutoScalingAutoScalingGroup",
"ResourceGroup": "compute",
"Description": "EC2 Auto Scaling groups attached to a load balancer are evaluated for **ELB-based health checks** that use the load balancer's target health instead of instance-only checks.",
"Risk": "Without **ELB health checks**, the group may keep instances that fail load balancer probes, causing:\n- Reduced **availability** from routing to bad targets\n- Higher error rates impacting transaction **integrity**\n- Inefficient scaling and increased **costs**",
"RelatedUrl": "",
@@ -12,6 +12,7 @@
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsAutoScalingAutoScalingGroup",
"ResourceGroup": "compute",
"Description": "**Amazon EC2 Auto Scaling groups** are evaluated to determine whether their associated **launch configuration** assigns **public IP addresses** to instances (e.g., `AssociatePublicIpAddress=true`).",
"Risk": "**Publicly addressable instances** are reachable from the Internet, enabling reconnaissance, brute-force, and exploitation of exposed services.\n\nCompromise can lead to remote access, **data exfiltration**, and **lateral movement**, impacting **confidentiality**, **integrity**, and **availability**.",
"RelatedUrl": "",
@@ -14,6 +14,7 @@
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsAutoScalingAutoScalingGroup",
"ResourceGroup": "compute",
"Description": "Amazon EC2 Auto Scaling launch configurations are evaluated for **Instance Metadata Service** settings. Instances should have the metadata endpoint `enabled` with `http_tokens=required` (enforcing **IMDSv2**), or have the metadata service `disabled`.\n\nAllowing `http_tokens=optional` or omitting the version leaves legacy access enabled.",
"Risk": "Without enforced **IMDSv2**, **SSRF** and local escape paths can access **IAM role credentials**, enabling unauthorized API calls.\n\nAttackers could:\n- Exfiltrate data with stolen tokens\n- Move laterally and modify resources, degrading confidentiality and integrity",
"RelatedUrl": "",
@@ -11,6 +11,7 @@
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsAutoScalingAutoScalingGroup",
"ResourceGroup": "compute",
"Description": "**EC2 Auto Scaling groups** use **multiple Availability Zones** within a Region, with instances distributed across more than one zone rather than confined to a single zone.",
"Risk": "Relying on a single zone concentrates failure risk and harms **availability**. An AZ outage or capacity shortfall can block replacements and scaling, causing downtime, dropped traffic, and a wider blast radius. Recovery can lag because workloads can't shift to healthy zones.",
"RelatedUrl": "",

Some files were not shown because too many files have changed in this diff.